
ubuntustudio-bugs team mailing list archive

[Bug 1460403] Re: Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py


** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to gimp-plugin-registry in Ubuntu.
Matching subscriptions: Ubuntu Studio Bugs
https://bugs.launchpad.net/bugs/1460403

Title:
  Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py

Status in gimp-plugin-registry package in Ubuntu:
  Incomplete

Bug description:
  File :
  /usr/share/gimp/2.0/scripts/cmyk-tiff-2-cmyk-pdf.py

  is vulnerable to shell command injection because it uses the old
  "os.system" command in multiple lines.

  For example, line No. 108
  can be attacked when "cmd" or "this_file2" contains shell commands:

  if os.path.isfile(this_file2):
      command = "%s \"%s\" &" % (this_cmd, this_file2)
      os.system(command)

  Please change all os.system calls to subprocess.Popen()

  Thank you ;-)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: gimp-plugin-registry 7.20140602ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-18.18-generic 3.19.6
  Uname: Linux 3.19.0-18-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Sun May 31 12:30:37 2015
  InstallationDate: Installed on 2015-05-15 (15 days ago)
  InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  SourcePackage: gimp-plugin-registry
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gimp-plugin-registry/+bug/1460403/+subscriptions
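The fix the report asks for, as an added example that is not code from the bug report or from the gimp-plugin-registry package: the viewer is started through subprocess.Popen with an argv list, so no shell ever parses the file name, and a constructed hostile name (HOSTILE_NAME) is used to check that the argument reaches the child unchanged. The viewer command is assumed to be a bare program name; python itself stands in for it so the check runs anywhere.

```python
import subprocess
import sys

# Constructed sample name: fed to the original '%s "%s" &' format and
# os.system, the embedded double quote would close the quoted path and the
# shell would run the rest of the name as separate commands.
HOSTILE_NAME = 'cover"; echo INJECTED; echo "page.tiff'


def vulnerable_command_line(this_cmd, this_file2):
    """The string the reported line 108 builds; returned here, never run."""
    return '%s "%s" &' % (this_cmd, this_file2)


def launch_viewer(this_cmd, this_file2):
    """Hardened replacement for os.system(command).

    Command and file name are separate argv entries, so metacharacters in
    either stay literal. Not calling wait() keeps the viewer running in the
    background, which is what the trailing "&" did. Note that
    Popen(command, shell=True) would NOT be a fix: it is os.system by
    another name. If this_cmd may carry options ("xdg-open -n"), split it
    once with shlex.split(this_cmd) and append the file name to that list.
    """
    return subprocess.Popen([this_cmd, this_file2])


def argv_seen_by_child(this_file2):
    """Spawn a child exactly as launch_viewer does and return the file-name
    argument as the child received it (python plays the viewer)."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])",
         this_file2],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("os.system would see :", vulnerable_command_line("xdg-open", HOSTILE_NAME))
    print("argv list child sees:", argv_seen_by_child(HOSTILE_NAME))
```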